On 02/05/2011 09:40 PM, Jason Gunthorpe wrote:
> On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
>
>>> Isn't it called KRB5CCNAME?
>> Yes. Some things (Amanda, at least from the directions, I haven't done
>> it yet) actually still use service principals which are KRB5_KTNAME. For
>> credentials in most clients, yes, KRB5CCNAME and that does work.
> Amanda is doing what I described below internally. The keytab file
> contains kerberos shared secrets so Amanda uses that to get a TGT. You
> can't use kerberos without a TGT. The fact it is using a SPN or UPN
> shared secret doesn't matter at the client.

Great to know. Thank you.

>> Yes, this refresh is EXACTLY what I have been trying to avoid with
>> service principals. I am starting to wish that Samba 4 supported SASL
>> CRAM-MD5 or something so that I could just use that; no refresh.
> Put the kinit -k line in a crontab. That command gets a fresh TGT for
> the machine account.
>
> Service principals just avoid having to create a new UPN in MIT
> kerberos. In AD kerberos a SPN cannot get a TGT so that is
> undoable. The machine account works very similarly to how a SPN
> would be used in MIT kerberos except that it is a UPN at the
> KDC. Samba writes a keytab entry for the machine account that
> contains the shared secret which lets kinit -k work.

Ok, I had to use SPNs for part of the setup. I am now using the UPN they
run under for my tests and everything seems to work ok. I cannot test it
directly in Dovecot as the Linux distro I am using doesn't have the
Postfix counterpart needed just yet, but the kinit -k works from the
keytab I have set up. Hopefully I can test that soon.

>> Thank you for all your input. I am afraid this is the same problem I am
>> going to hit with Postfix (it does a similar setup to Dovecot, I am just
>> not running the recent version yet that supports it).
> Yes. Same answer, run it pointing to the same CC cache you setup for
> dovecot.
>
> Be aware that both the keytab and the credential cache are 'password
> equivalents' and must be protected.
>
> Jason

Yes, I was aware of this. Thank you very much for the reminder.

So, all this time I just needed to be able to set an environment variable
and since Samba and AD don't allow you to login using SPNs, just use the
UPN I had the SPNs under for this CC setup.
Thank you,
Trever Adams

-- 
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
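The procedure agreed on in the thread (a cron-driven `kinit -k` that refreshes the machine account's TGT from the keytab Samba wrote, a dedicated credential cache that the daemon is pointed at through KRB5CCNAME, and both files kept as password equivalents) fits in one small script. The script below is an added example and is not code from the thread, from Samba, or from Dovecot. The keytab and cache paths, the machine-account principal `MAILHOST$@EXAMPLE.COM`, the `dovecot` user, and the four-hour cron interval are all assumptions; substitute your own.

```shell
#!/bin/sh
# refresh-daemon-tgt.sh (added example, not from the mailing-list thread)
#
# Re-acquires a Kerberos TGT for a machine account from its keytab and
# stores it in a dedicated credential cache that a daemon (Dovecot,
# Postfix) reads through KRB5CCNAME.  Run it from cron as the daemon user,
# e.g. (interval assumed; AD TGTs are normally good for hours):
#   0 */4 * * *  /usr/local/sbin/refresh-daemon-tgt.sh run
# and point the daemon at the cache, e.g. KRB5CCNAME=FILE:/var/lib/dovecot/krb5cc
#
# All paths and names below are placeholders chosen for this example.
set -u

KEYTAB="${KEYTAB:-/etc/dovecot/dovecot.keytab}"       # assumed keytab path
CCACHE="${CCACHE:-/var/lib/dovecot/krb5cc}"           # assumed cache path
PRINCIPAL="${PRINCIPAL:-MAILHOST\$@EXAMPLE.COM}"      # assumed machine-account UPN

# check_secret_perms FILE
# Succeeds only if FILE exists as a regular file and carries no group or
# other permission bits.  The keytab and the cache both let anyone who can
# read them obtain tickets as the machine account, so looser modes are
# refused before we touch the KDC.  Uses ls(1) so it works on GNU and BSD.
check_secret_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)   # chars 5-10 are the group/other rwx bits
    [ "$mode" = "------" ]
}

# kinit_cmd KEYTAB CCACHE PRINCIPAL
# Builds the exact kinit invocation so it can be inspected or logged:
#   -k  authenticate with a keytab instead of a password
#   -t  which keytab file to use
#   -c  which credential cache to write
kinit_cmd() {
    printf 'kinit -k -t %s -c %s %s\n' "$1" "$2" "$3"
}

# refresh_tgt
# Performs the refresh: verifies keytab permissions, runs kinit, locks down
# the resulting cache, and confirms the cache really holds a krbtgt entry.
refresh_tgt() {
    if ! check_secret_perms "$KEYTAB"; then
        echo "refusing to run: $KEYTAB is readable by group/other or missing" >&2
        return 2
    fi
    # Write to a private temp cache first so a failed kinit never leaves the
    # daemon with an empty or half-written cache.
    tmpcc="$CCACHE.$$"
    if ! kinit -k -t "$KEYTAB" -c "$tmpcc" "$PRINCIPAL"; then
        echo "kinit failed for $PRINCIPAL" >&2
        rm -f "$tmpcc"
        return 3
    fi
    chmod 600 "$tmpcc"
    if ! klist -c "$tmpcc" | grep -q 'krbtgt/'; then
        echo "cache $tmpcc contains no TGT" >&2
        rm -f "$tmpcc"
        return 4
    fi
    mv -f "$tmpcc" "$CCACHE"           # atomic swap into place
    check_secret_perms "$CCACHE"
}

# Only perform the refresh when invoked with "run", so sourcing the file
# (or loading it for the checks above) has no side effects.
if [ "${1:-}" = "run" ]; then
    refresh_tgt
fi
```

Running the refresh as the daemon user rather than root means the keytab must be owned by that user (mode 0600), which is also the simplest way to keep the resulting cache readable only by the process that needs it; the temp-then-rename dance avoids a window where the daemon sees a missing or truncated cache mid-refresh.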